Help needed (port 1040 open)

  1. #1
    Member
    Join Date
    Jan 2006
    Posts
    32

    Help needed (port 1040 open)

    Hi all!
    Well, I was trying to secure my box, and I ran netstat -a -n and found TCP port 1040 open (among other ports, which I know why they are there).
    I tried to find information on how this could happen, and the most likely explanation is that I have a virus. Well, I have avast with the latest db and no virus was found.
    I looked at the programs that are being started during Windows start and I didn't find anything unusual.
    I'd like to diagnose why this port is open, and then I'd like to fix the problem.
    What would you suggest I do?

    Thanks in advance!!!

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    Go to http://www.foundstone.com/index.htm?...desc/fport.htm run that utility and see what it comes back with..

    Netstat is nice but doesn't link the information very well.. it doesn't tie everything together.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Netarx has the "lease" for port 1040 both TCP and UDP - does it ring any bells for you?

    Try netstat -ano, the "o" switch brings up a PID column, take a look at the PID of what had the port open, then CTL ALT DEL to the task manager, if the PID isn't there go View > Select Columns and then tick the PID box.

    Take a look at what application has the port open and then post it here if you are not sure what it is!

    gl
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  4. #4
    Member
    Join Date
    Jan 2006
    Posts
    32
    Hi HT!

    Go to http://www.foundstone.com/index.htm?...desc/fport.htm run that utility and see what it comes back with..
    Thanks for your really prompt answer! I went there and downloaded the tool. This is now part of my list of favourite tools!
    What I found is that the process listening to that port was the IIS. I couldn't find anything related to this port in the IIS configuration. My OS is Windows XP SP2. I have the default web site listening on port 80.
    There may be something wrong with my IIS.
    Now that I know that this is served by the IIS, I am more relaxed. However I still have to investigate why this could be happening.

    Once again, thanks!!

  5. #5
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185
    Is it possible you are being hacked by the IRS? It is tax season and the port is 1040. I don't think it is a coincidence!

    j/k!

    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  6. #6
    Member
    Join Date
    Jan 2006
    Posts
    32
    Hi Nokia!

    Thanks for answering!
    Netarx has the "lease" for port 1040 both TCP and UDP - does it ring any bells for you?
    Well, it doesn't ring any bells, unfortunately.

    Try netstat -ano, the "o" switch brings up a PID column, take a look at the PID of what had the port open, then CTL ALT DEL to the task manager, if the PID isn't there go View > Select Columns and then tick the PID box.
    I wasn't aware of the 'o' flag for netstat. My fault. I should have read the documentation more carefully.

    Before reading your post, I used the Fport tool and it told me that the process was the IIS. I don't know how this could be, since my website is running on port 80.
    After reading your post, I double checked and the netstat says the same thing: on port 1040 is running the IIS (inetinfo.exe).

    I will try to find deeper information on IIS to see how this may happen.

    Once again, thanks a lot!!!

    Cheers

  7. #7
    Member
    Join Date
    Jan 2006
    Posts
    32
    Hi Deeboe!!
    Is it possible you are being hacked by the IRS? It is tax season and the port is 1040. I don't think it is a coincidence!
    Well... I didn't supply them with my IP in the last fiscal year!

    Cheers !!!

  8. #8
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    You're very welcome!

    Process File: inetinfo or inetinfo.exe
    Process Name: IIS Admin Service Helper

    Description:
    inetinfo.exe is used primarily for debugging Microsoft Windows Server Internet Information Services. This program is important for the stable and secure running of your computer and should not be terminated.

    Note: inetinfo.exe is also a process which is registered as the Trojan.W32.RONTOKBRO. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open its hostile attachment. The worm has its own SMTP engine which means it gathers E-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.

    Determining whether this process is a virus or a Windows process depends on the directory location it executes or runs from in WinTasks.

    C+P'd from here:
    http://www.liutilities.com/products/...rary/inetinfo/
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  9. #9
    Well it could also be an internal port. Fport doesn't distinguish between ports used for internal communications, and external ports. Make sure your firewall logs all activity through that port. If the source IP of all packets is 127.0.0.1 then it's internal.

  10. #10
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,188
    originally posted by yogurtu

    I wasn't aware of the 'o' flag for netstat. My fault. I should have read the documentation more carefully.
    You can use 'netstat -a -b' where the '-b' option will display the executable involved in opening the connection... just a thought.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST
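As an added example, not code from anyone in this thread: a PowerShell function that does in one step what posts #3, #8, #9 and #10 describe by hand. It parses netstat -ano for listening TCP ports, looks up each PID with Get-Process to get the process name and executable path (the information netstat -b and Task Manager's PID column give you), flags listeners bound only to 127.0.0.1 (which post #9 says are internal), and reports whether the executable lives under the Windows directory as post #8 suggests checking. It assumes PowerShell 3 or later on a current Windows, not the XP SP2 box the original poster had.

```powershell
# Added example (not from the thread). Map listening TCP ports to their owning
# process by parsing 'netstat -ano', then join with Get-Process for name and path.
# Run from an elevated prompt, otherwise Path is empty for service processes.

function Get-ListeningPortOwners {
    [CmdletBinding()]
    param([int[]]$Port)   # optional filter, e.g. -Port 1040

    # Keep only TCP lines in LISTENING state; UDP lines have no state column.
    $lines = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' -and $_ -match 'LISTENING' }

    foreach ($line in $lines) {
        # Columns: Proto  LocalAddress  ForeignAddress  State  PID
        $f      = $line.Trim() -split '\s+'
        $local  = $f[1]
        $procId = [int]$f[4]

        # Local address looks like 0.0.0.0:1040, 127.0.0.1:1040 or [::]:1040;
        # split on the last colon so IPv6 literals are handled too.
        $idx   = $local.LastIndexOf(':')
        $addr  = $local.Substring(0, $idx)
        $lport = [int]$local.Substring($idx + 1)
        if ($Port -and ($Port -notcontains $lport)) { continue }

        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $path = if ($proc -and $proc.Path) { $proc.Path } else { $null }

        [pscustomobject]@{
            Port         = $lport
            Address      = $addr
            # Loopback-only listeners are not reachable from the network (post #9).
            LoopbackOnly = ($addr -eq '127.0.0.1' -or $addr -eq '[::1]')
            PID          = $procId
            Process      = if ($proc) { $proc.ProcessName } else { '<exited or access denied>' }
            Path         = if ($path) { $path } else { '<unknown: run elevated>' }
            # Post #8: the directory the binary runs from is the first sanity check.
            InWindowsDir = [bool]($path -and $path -like "$env:SystemRoot\*")
        }
    }
}

# Usage: who owns port 1040, and is it reachable from outside?
Get-ListeningPortOwners -Port 1040 | Format-List

# Or review every listener at once, sorted so externally reachable ones come first.
Get-ListeningPortOwners | Sort-Object LoopbackOnly, Port | Format-Table -AutoSize
```

The firewall-log check from post #9 is still worth doing separately: this script only shows the bound address, not which peers actually connect.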
